Since a single installation of OJS shares user accounts across all journals (which is not the same thing as sharing roles, of course, which can be assigned independently to different journals), the Journal Manager must be able to access the complete list of users, e.g. in order to enroll a user as an Author if they've forgotten to choose the "Author" role when registering (or if user self-registration as an author is disabled, which might be the case if the journal has closed or invited authorship).
There are some restrictions in place, i.e. if a Journal Manager tries to use the "Log In As" function on a user account that has roles in other journals that the Manager does not also manage, they will not be allowed. This is to prevent a manager from gaining access to an author's submissions in another journal.
If this is not separate enough, I'd suggest managing several OJS installations rather than sharing a single installation amongst multiple journals. However, I don't think there are security issues beyond a Manager simply being able to see email addresses and names for users outside their journal.
Removing the ability of a Journal Manager to enroll users outside of the current journal will result in a number of administrative headaches -- one of the things users typically do is forget to choose a role, which results in their being enrolled without any roles in any journals. The Manager must be able to correct this situation.
Public Knowledge Project Team
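The "Log In As" restriction described in the post above, modeled as an added example; this is not OJS code and not part of the original post. The class, method, role and user names are hypothetical, the sample data is constructed, and it assumes a user with no roles in any journal is not blocked by this rule.

```python
from collections import defaultdict


class Site:
    """One installation: accounts are site-wide, roles are per journal."""

    def __init__(self):
        # user -> journal -> set of role names
        self.roles = defaultdict(lambda: defaultdict(set))

    def enroll(self, user, journal, role):
        self.roles[user][journal].add(role)

    def journals_with_roles(self, user):
        return {j for j, r in self.roles[user].items() if r}

    def managed_journals(self, user):
        return {j for j, r in self.roles[user].items() if "manager" in r}

    def blocking_journals(self, manager, target):
        # Journals where the target holds a role but the acting manager
        # is not a manager: these are what the restriction protects.
        return self.journals_with_roles(target) - self.managed_journals(manager)

    def can_log_in_as(self, manager, target):
        if not self.managed_journals(manager):
            return False  # caller is not a Journal Manager anywhere
        return not self.blocking_journals(manager, target)


def build_sample():
    # Constructed sample data, not taken from any real installation.
    site = Site()
    site.enroll("alice", "journal-a", "manager")
    site.enroll("erin", "journal-a", "manager")
    site.enroll("erin", "journal-b", "manager")
    site.enroll("bob", "journal-b", "author")
    site.enroll("dave", "journal-a", "author")
    site.roles["carol"]  # registered but forgot to choose a role
    return site


if __name__ == "__main__":
    site = build_sample()
    for mgr, tgt in [("alice", "bob"), ("erin", "bob"), ("alice", "carol")]:
        blocked = sorted(site.blocking_journals(mgr, tgt))
        print(mgr, "->", tgt, site.can_log_in_as(mgr, tgt), blocked)
```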